aws-amplify-react-native version 2.1.10 breaks withOAuth Custom Provider Authentication

[jessedoyle]

Describe the bug

After updating aws-amplify from version 1.1.24 to 1.1.25 and aws-amplify-react-native from 2.1.9 to 2.1.10, our React Native application's authentication with a custom provider on a Cognito User Pool no longer works using the withOAuth HOC.

The error our app receives is (see screenshot 1):

NotAuthorizedException: Token is not from a supported provider of this identity pool.

At first glance, it looks like this PR introduced the bug: #3005. I have a comment on that PR that provides some initial details as well.

The upgrade also introduces a YellowBox warning in our app (see screenshot 2):

Possible Unhandled Promise Rejection (id: 0)
TypeError: undefined is not an object (evaluating 'window.location.href')

To Reproduce
Here is a code example similar to our code using the withOAuth HOC (generalized):

/*
 * @flow
 */

import React from 'react';
import {
  Button,
  StyleSheet,
  Text
  View,
} from 'react-native';
import { withOAuth } from 'aws-amplify-react-native';
import { Authenticated } from '../../views';

const styles = StyleSheet.create({
  container: {
    flex: 1,
  },
});

type Props = {
  oAuthError: ?string,
  oAuthUser: ?{},
  customProviderSignIn: Function,
  signOut: Function,
};

const SignIn = (props: Props) => {
  if (props.oAuthUser) {
    return (<Authenticated {...props} />);
  }

  return (
    <View style={styles.container}>
      <Text>Login</Text>
      <Text>{ props.oAuthError }</Text>
      <Button
        onPress={() => props.customProviderSignIn('azure')}
        title="Proceed to Login"
      />
    </View>
  );
};

export default withOAuth(SignIn);

Expected Behavior
After clicking the "Proceed to Login" button the user is redirected using the device's browser to the custom provider authentication page.

After the custom provider authenticates, the browser redirects to a deep link that opens our application and provides an OAuth2 code parameter and grant.

This process worked as expected with aws-amplify-react-native == 2.1.9 and aws-amplify == 1.1.24.

Current Behavior
On aws-amplify-react-native == 2.1.10, the custom provider authentication works successfully in the browser and the deep link redirection occurs opening our application.

After our application opens, Amplify returns the following error:

NotAuthorizedException: Token is not from a supported provider of this identity pool.

Screenshots

1 - Error

2 - Warning

[manueliglesias]

Hi @jessedoyle

I am working on a fix for this, thanks for the patience.

[jessedoyle]

@manueliglesias - Great - please let me know if you need some testing done!

Thanks!

[undefobj]

@jessedoyle can you test again with the latest version?

[jessedoyle]

@undefobj - Sounds good, I’ll test on Monday and get back to you!

[jessedoyle]

@undefobj - I'm seeing the same behaviour as originally mentioned in the issue with the following package versions:

• aws-amplify - 1.1.26
• aws-amplify-react-native - 2.1.10

The error message NotAuthorizedException: Token is not from a supported provider of this identity pool. is still returned on our app.

[StefanBuchman]

I'm also getting failures with the new versions above.

I'm seeing the following on authentication after being redirected back to the app

YellowBox.js:67 Possible Unhandled Promise Rejection (id: 0): Error: invalid_request Error: invalid_request

[jessedoyle]

@undefobj - I did a bit of debugging recently.

In React Native, the URL parameter in

amplify-js/packages/auth/src/Auth.ts

Line 1506 in d95cdac

const currentUrl = URL || window.location.href;

resolves to null.

This means that window.location.href is referenced to set the currentUrl value, but window is not defined in React Native.

I'm not sure it's safe to assume window is available in some of the core libraries.

[jessedoyle]

Okay, I think I've found the root cause of the issue.

I inspected the network activity our application makes during authentication for multiple package versions.

I tested the following versions:

"working" versions

• aws-amplify === 1.1.24
• aws-amplify-react-native === 2.1.9

"non-working" versions

• aws-amplify === 1.1.26
• aws-amplify-react-native === 2.1.10

In both cases, a request with the following form was made:

# request
POST cognito-identity.{{ region }}.amazonaws.com

# headers
x-amz-target:AWSCognitoIdentityService.GetId

# body
{
  "IdentityPoolId": "{{ identity-pool-id }}",
  "Logins": {
    "cognito-idp.{{ region }}.amazonaws.com/{{ user-pool-id }}": "{{ id_token }}"
  }
}

# response body
{
  "__type": "NotAuthorizedException",
  "message": "Token is not from a supported provider of this identity pool."
}

With the "working" package versions, the error was not propagated up via props.

With the "non-working" package versions, the error is delivered via props post authentication. I believe that we'll have a configuration change on our identity pool to accept an alternate user pool as a provider.

After debugging, the main concern we have with the recent releases is the yellowbox warning due to the issue mentioned here.

[undefobj]

@jessedoyle Interesting, sounds like you've got a User Pool that is independent of your Identity Pool which is causing an error that was previously being swallowed but is now (correctly) bubbling up. We can look at fixing this, however is there a reason why you don't have the User Pool and Identity Pool connected?

[jessedoyle]

@undefobj

however is there a reason why you don't have the User Pool and Identity Pool connected?

Nope, it's a configuration error on our end. We're not using the identity pool yet, so the error went under the radar for a while.

[mkrn]

I can confirm the similar behavior,

Having new undefined is not an object (evaluating window.location.href) warning now on start.

Also, the withOAuth + props.facebookSignIn flow doesn't authenticate the user. I'm getting the code correctly via my urlOpener but the aws-amplify lib fails to sign in the user... Currently trying to debug this, as this used to work..

[mkrn]

I was able to debug further to get to where it fails for me:
https://github.com/aws-amplify/amplify-js/blob/master/packages/auth/src/OAuth/OAuth.ts#L144

body is a string like:
grant_type=authorization_code&code=xxxxx-a6b7-4a91-882b-056265892fbe&client_id=xxxxxx&redirect_uri=xxxx%3A%2F%2FsignIn&code_verifier=xxxxxxxVLOJ97XlmdkN94bbjCVqpAgjYhAKOBNsAPje6neAOiu3Z2Fh

oAuthTokenEndpoint is https://xxxxx.auth.us-east-1.amazoncognito.com/oauth2/token

Error is invalid_request
I was able to pass same parameters to POSTMAN and successfully get tokens back

It seems to do with urlEncoding & using URLSearchParams

I'm using Cognito User Pool with Facebook Federated Identity Provider.

Any help greatly appreciated!

[mkrn]

Before anyone spends too much time: this issue apparently is related to RN 0.59.0 and the way they implemented URLSearchParams
facebook/react-native#23922
🤢

[calboru]

Any solution yet? I have the same problem here.

[mkrn]

Looks like we're discussing 3 different issues:

• undefined is not an object evaluating window.location.href Warning
• Fail to do Cognito federated identity sign in OAuth flow RN 0.59 and Cognito federated identity OAuth flow failure #3183
• Fail with Token is not from a supported provider of this identity pool using federated identity pools

[jessedoyle]

@calboru - In our case, the authorization error was bubbling up because we had our Identity Pool misconfigured (double check the "Authentication Providers" configuration section for your Identity Pool).

The only remaining issue we have with the recent releases are the YellowBox warnings on React Native.

I've submitted a PR to fix the bug here: #3230.

[dinukasal]

I also got this error,
versions, aws-amplify: 1.1.27
aws-amplify-react-native: 2.1.11
It seems we cannot use amplify in react native for social login.

[rohitjain-dev]

I am facing the same issue can anyone help ??

[github-actions]

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.